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A data carrier with a semiconductor chip (5) having at least one memory in 
which an operating program containing a plurality of commands is stored, each 
command causing signals detectable from outside the semiconductor chip (5), 
characterized in that the data carrier (1) is designed to perform security- 
relevant operations solely executing operating program commands of such a 
kind, or executing said commands in such a way, that the data processed with 
the corresponding commands cannot be inferred from the detected signals. 
A data carrier according to claim 1, characterized in that the commands used 
are designed for at least byte-bgbyte processing of data. 
A data carrier according to either of the abovo claima , characterized in that the 
commands used are indistinguishable with respect to the signal patterns caused 
thereby. ^ 

A data carrier according to onyof tho above claims , characterized in that the 

A 

commands used each lead to a signal pattern which is substantially independent 

of the data processed with the command. 

QMUHL " 

A data earner according to a ny of the abov o cla irm, characterized in that the 

A 

operating program is able to execute a series of operations (J), input data being 
required for executing the operations (J) and output data being generated by 
execution of the operations (/), whereby 

the input data are falsified by combination with auxiliary data (Z) before 

execution of one or more operations (/), 

the output data determined by execution of the one or more operations (J) 
are combined with an auxiliary function value (/(Z)) in order to compen- 
sate the falsification of the input data, 

whereby the auxiliary function value (j{Z)) was previously determined by 
execution of the one or more operations (J) with the auxiliary data (Z) as 
input data in safe surroundings and stored on the data carrier (1) along 
with the auxiliary data (Z). 
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A data earner according to claim 5, characterized in that the combination with 
the auxiliary function values (flZ)) for compensating the falsification is per- 
formed at the latest directly before execution of an operation (g) which is non- 
linear with respect to the combination generating the falsification 
A data earner accordmg to e it her of claimc 5 and 6 , characterized in that the 
auxiliary data (Z) are varied, the corresponding auxiliary function values (/(Z)) 
being stored in the memory of the data carrier (1). 

A data carrier according to claim 7, characterized in that new auxiliary values 
(Z) and new auxiliary function values (/(Z)) are generated by combining two or 
more existing auxiliary data (Z) and auxiliary function values (/(Z)). 
A data carrier according to claim 8, characterized in that the existing auxiliary 
data (Z) and auxiliary function values (/(Z)) intended for the combination are 
each selected randomly. 

A data earner accordmg to any of claim3 5 to 7 , characterized in that pairs of 
auxiliary data (Z) and auxiliary function values (/(Z)) are generated by a gen- 
erator without the operation (/(ZY) being applied to the auxiliary data (Z). 
A data carrier according to yy^^laimj 5 to 10, characterized in that the aux- 
iliary data (Z) are a random number. 

A data carrier according to ■ ony'^c^ms 5 to H , characterized in that the 

A 

combination is an EXOR operation. 

A data carrier according to any ottiio above claims, characterized in that a olu- 
rality of operations can be executed with the operating program, it holding for 
at least a subset of said operations that the total result achieved by execution of 
several operations of the subset does not depend on the order of execution of 
the operations, and the order of execution of the stated subset of operations is 
varied at least when the subset contains one or more security-relevant opera- 
tions. 

A data carrier according to claim 13, characterized in that the order of execu- 
tion is varied at each run through the stated subset of operations. 
A data carrier according to claim 13 or 14; characterized in that the order of 
execution is varied according to a fixed principle. 
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16. A data earner according to claim 13 ee44-, characterized in that the order of 
execution is varied randomly. 

17. A data earner according to eit h er of olaimo 13 and 1 -4-, characterized in that the 
order of execution is varied in accordance with the data processed with the op- 
erations (f). 

iq a -a . dtiurt 13 

18. A data carrier according to any ofolaima 13 to 17; characterized in that the 
order of execution is fixed before execution of the first operation (J) of the sub- 
set for all operations of the subset whose execution is intended to be directly 
successive. 

1 9. A data carrier according to «jy^ claimc 13 to 1 % characterized in that it is 
fixed before the onset of execution of an operation (/) of the subset which op- 
eration of the subset whose execution is intended to be successive is executed 
next. 

20. A data carrier according to any^of the above claims , characterized in that the 
security-relevant operations are key permutations or permutations of other se- 
cret data. 

21. A data carrier according to an^/tno above claims , characterized in that the 

A 

data carrier is a smart card. 

22. A method for executing security-relevant operations in a data carrier (1) with a 
semiconductor chip (5) having at least one memory in which an operating pro- 
gram containing a plurality of commands is stored, each command causing sig- 
nals detectable from outside the semiconductor chip (5), characterized in that 
the data carrier performs security-relevant operations (J) solely using operating 
program commands of such a kind, or using said commands in such a way, that 
the data processed with the corresponding commands cannot be inferred from 
the detected signals. 

23. A method according to claim 22, characterized in that the commands used em- 
ploy data present at least byte by byte. 
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24. A method according to either of claims 22 and 23 , characterized in that the 

A 

commands used are indistinguishable with respect to the signal patterns caused 
thereby. 
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25. A method according to my of olaimo 22 to 24, characterized in that the com- 
mands used each lead to a signal pattern which is substantially independent of 
the data processed with the command. 

26. A method for protecting secret data serving as input data for one or more op- 
erations, characterized in that 

the mput data are falsified by combination with auxiliary data (Z) before 
execution of the one or more operations (/), 

the output data determined by execution of the one or more operations if) 
are combined with an auxiliary function value (/(Z)) in order to compen- 
sate the falsification of the input data, 

whereby the auxiliary function value (/(Z)) was previously determined by 
execution of the one or more operations if) with the auxiliary data (Z) as 
input data in safe surroundings and stored along with the auxiliary data 
(2). 

27. A method according to claim 26, characterized in that the combination with the 
auxiliary function values (/(Z)) for compensating the falsification is performed 
at the latest directly before execution of an operation (g) which is nonlinear 
with respect to the compensatipn generating the falsification 

IX. A method according to c ither o f cla i ms 26 and 27 ; characterized in that the 

A 

auxiliary data (Z) are varied, the corresponding auxiliary function values (/(Z)) 
being stored in the memory of the data carrier. 
!9. A method according to claim 28, characterized in that new auxiliary values (Z) 
and new auxiliary function values (/(Z)) are generated by combination of two 
or more existing auxiliary data (Z) and auxiliary function values (ftZ)). 

0. A method according to claim 29, characterized in that the existing auxiliary 
data (Z) and auxiliary function values (/(Z)) intended for the combination are 
each selected randomly. + 

1. A method according to any o^^aim^fe to 30; characterized in that pairs of 
auxiliary data (Z) and auxiliary function values (/(Z)) are generated by a gen- 
erator without the operation (/(Z)) being applied to the auxiliary data (Z). 
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32. A method according to nny of c l aimed to 31 , characterized in that the auxil- 
iary data (Z) are a random number. 

33. A method according to J^^folama 26 to 32 , characterized in that the combi- 
nation is an EXOR operation. 

34. A method for executing a plurality of operations (f) within the operating system 
of a data carrier (1), it holding for at least a subset of said operations that the 
total result achieved by execution of several operations of the subset does not 
depend on the order of execution of the operations, and the order of execution 
of the stated subset of operations is varied at least when the subset contains one 
or more security-relevant operations. 

35. A method according to claim 34, characterized in that the order of execution is 
varied at each run through the stated subset of operations. 

36. A method according to claim 34 vrtfr, characterized in that the order of exe- 
cution is varied according to a fixed principle. 

37. A method according to claim 34 es^Sf characterized in that the order of exe- 
cution is varied randomly. 

38. A method according to- oithor §^$mmstl4 and 35, characterized in that the or- 
der of execution is varied in accordance with the data processed with the op- 
erations if). 

39. A method according to any ofolaima 34 tu 3 8, characterized in that the order 
of execution is fixed before execution of the first operation of the subset for all 
operations of the subset. . . 

cJou 35 

40. A method according to anyof claims 35 to 39 ; characterized in that it is fixed 
before the onset of execution of an operation (f) of the subset which operation 
of the subset whose execution is intended to be successive is executed next. 
A method according to - any o^oiaim^22 to 4t> , characterized in that the secu- 
rity-relevant operations are key permutations or permutations of other secret 
data. 



41. 
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